
Strange Connections Part II

Hello,

I have been using netstat fairly frequently because I had a trojan (svchost.exe) on my machine a week ago, and I check whether there are any backdoors, crap, etc. Nothing shows up other than http connections, but the strangest things are two connections to the localhost (me) on two consecutive ports (usually 1035, 1036). When I first log in these two connections are always there; sometimes they switch IPs (4451, 4450). I ran fport and could not find any processes attached to these ports. What is opening the connection?

Edit: ran netstat -ao and found the PID to be Mozilla's. Why is it creating a connection to me?

newinnash, svchost.exe is not a trojan, that is the service host process that allows processes to load from .dll libraries. It's a Windows system process. Now if what you meant was svchosts.exe or scvhost.exe, then yes, these are trojans.

Hope that clears that up. As for the ports, look at the entries for your loopback IP (127.0.0.1). There should be several ports used by your browser that loop to your IP address on those ports. Mozilla (Internet Explorer) is most likely making the connections automatically via loopback. Remember that IE is integrated into the shell, therefore it will do this even if a browser window is not active.

BTW, IE is based on Mosaic (Developed by NSCA and licensed by Netscape, which was later renamed Navigator), as was Mozilla. Therefore you will see similar port loopback behavior with any Netscape, Mozilla, or IE version, as they all share Mosaic as a common ancestor.

Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.

Thanks, I was confused because those connections had never appeared while I was running IE. Much thanks. The trojan I had was named svchost.exe. I know there are legitimate processes with the same name run under SYSTEM, but this one was run under my user name and tried to connect to the internet as a server and a client. I removed it, and its evil registry key.
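
The check discussed in this thread (matching the two ends of a loopback connection to the owning PID) can be scripted. The following is an added example, not written by any poster above: it parses netstat output in the numeric form (`-n` added to the `-ao` used in the thread) and reports whether both ends of each 127.0.0.1 connection belong to one process, as with the browser PID found above, or to two different ones. The sample output, PIDs and addresses are constructed.

```python
import re

# Constructed sample in the layout of Windows `netstat -ano` output (not from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:1035         127.0.0.1:1036         ESTABLISHED     2140
  TCP    127.0.0.1:1036         127.0.0.1:1035         ESTABLISHED     2140
  TCP    192.168.1.20:1051      203.0.113.10:80        ESTABLISHED     2140
  TCP    127.0.0.1:4450         127.0.0.1:4451         ESTABLISHED     3312
  TCP    127.0.0.1:4451         127.0.0.1:4450         ESTABLISHED     1500
"""

# Proto, local addr:port, foreign addr:port, state, PID
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse(text):
    """Return (local_addr, local_port, remote_addr, remote_port, state, pid) per TCP row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            la, lp, ra, rp, state, pid = m.groups()
            rows.append((la, int(lp), ra, int(rp), state, int(pid)))
    return rows

def loopback_pairs(rows):
    """Pair the two ends of each established 127.0.0.1 <-> 127.0.0.1 connection."""
    ends = {(lp, rp): pid for la, lp, ra, rp, st, pid in rows
            if la == ra == "127.0.0.1" and st == "ESTABLISHED"}
    pairs = []
    for (lp, rp), pid in sorted(ends.items()):
        # Report each connection once, from its lower-numbered port.
        if lp < rp and (rp, lp) in ends:
            peer = ends[(rp, lp)]
            kind = "self" if peer == pid else "cross-process"
            pairs.append((lp, rp, pid, peer, kind))
    return pairs

if __name__ == "__main__":
    for lp, rp, pid, peer, kind in loopback_pairs(parse(SAMPLE)):
        print(f"127.0.0.1:{lp} <-> 127.0.0.1:{rp}  PID {pid} / PID {peer}  [{kind}]")
```

A "self" pair is one process talking to itself over loopback; for a "cross-process" pair, both PIDs should be resolved to an image name and the account they run under before drawing conclusions.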